CVE-2025-4225: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE (CVE-2025-4225) affecting all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1. The vulnerability was disclosed on August 27, 2025, and allows an unauthenticated attacker to cause a denial-of-service condition affecting all users by sending specially crafted GraphQL requests (GitLab Release, NVD).

The vulnerability is classified as an Allocation of Resources Without Limits or Throttling issue (CWE-770). It has received varying CVSS scores, with NVD assigning a base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while GitLab Inc. assessed it at 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability can result in a denial-of-service condition that affects all users of the GitLab instance. The attack can be executed remotely by an unauthenticated attacker, potentially disrupting service availability for all GitLab users (GitLab Release).

GitLab has released patches in versions 18.1.5, 18.2.5, and 18.3.1 to address this vulnerability. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the security fix. GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by the security researcher 'pwnie'. GitLab has classified this as a medium-severity issue and included it in their scheduled security release (GitLab Release).